wpa_supplicant/NM fallback to WPA?

Jouni Malinen j at w1.fi
Wed May 7 04:24:50 EDT 2008


On Tue, May 06, 2008 at 11:33:00PM +0200, Johannes Berg wrote:
> On Tue, 2008-05-06 at 23:16 +0200, Johannes Berg wrote:
> > Yeah, true. I guess we'll just have to make NM do the fallback ;)
> 
> Except... wpa_supplicant can make a much more informed choice here.

Well, yes, it could. However, this would add a need for state in network
blocks to remember whether the previous attempt failed with RSN and then
try WPA the next time. This sequence is not exactly something one would
expect to see either, since the AP looks exactly like it would if it were
under an active downgrade attack and the most prudent thing to do here
would be to warn the user of a possible attack and then refuse to connect
(unless overridden by user decision).

I can certainly add a specific ctrl_iface message to notify external
programs of this type of error and give them an option to ask the user
for an informed decision on trying to use the AP anyway, even if it could
potentially mean a successful downgrade attack (e.g., an attacker forcing
TKIP to be used as the pairwise cipher when the AP could have used
CCMP).

-- 
Jouni Malinen                                            PGP id EFC895FA
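
Added example, not part of the original message and not wpa_supplicant code: a check for the downgrade case described above, where TKIP would be used as the pairwise cipher although the AP's RSN IE advertises CCMP. The function names and the sample IE are constructed for illustration, and the parser assumes the optional pairwise cipher list is present in the IE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIPHER_TKIP 0x1
#define CIPHER_CCMP 0x2

/* Constructed sample: RSN IE with group TKIP, pairwise CCMP + TKIP, AKM PSK. */
static const uint8_t sample_rsn_ie[] = {
    0x30, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x02, 0x00,
    0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00,
    0x00, 0x0f, 0xac, 0x02, 0x00, 0x00 };

/* Bitmask of pairwise ciphers listed in an RSN IE (element ID 48), -1 if malformed. */
int rsn_pairwise_mask(const uint8_t *ie, size_t len)
{
    static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
    size_t body, pos = 8, count, i;   /* pos: past ID, length, version, group suite */
    int mask = 0;

    if (len < 2 || ie[0] != 48) return -1;
    body = ie[1];
    if (body < 8 || body + 2 > len) return -1;  /* need version + group + count */
    if (ie[2] != 1 || ie[3] != 0) return -1;    /* version 1, little endian */
    count = ie[pos] | ((size_t)ie[pos + 1] << 8);
    pos += 2;
    if (count * 4 > body + 2 - pos) return -1;  /* list must fit inside the IE */
    for (i = 0; i < count; i++) {
        const uint8_t *s = ie + pos + 4 * i;
        if (memcmp(s, oui, 3) != 0) continue;   /* ignore vendor-specific suites */
        if (s[3] == 2) mask |= CIPHER_TKIP;
        if (s[3] == 4) mask |= CIPHER_CCMP;
    }
    return mask;
}

/* 1 if TKIP is about to be used although the AP advertised CCMP. */
int is_pairwise_downgrade(int advertised, int chosen)
{
    return advertised > 0 && (advertised & CIPHER_CCMP) && chosen == CIPHER_TKIP;
}

int main(void)
{
    int adv = rsn_pairwise_mask(sample_rsn_ie, sizeof(sample_rsn_ie));
    printf("advertised=0x%x downgrade=%d\n", adv, is_pairwise_downgrade(adv, CIPHER_TKIP));
    return 0;
}
```

A caller that gets 1 from is_pairwise_downgrade() would refuse to associate and hand the decision to the user instead of silently falling back.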

